Headline
CVE-2023-22909: ⚓ T320987 [Unplanned, S] Mobile frontend's history makes really slow db queries
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.
**
[Unplanned, S] Mobile frontend’s history makes really slow db queries
Closed, ResolvedPublic1 Estimated Story PointsSecurity
**
Edit Task
Edit Related Tasks…
Edit Related Objects…
Mute Notifications
Protect as security issue
Award Token
Flag For Later
Risk Rating
Medium
Author Affiliation
WMF Technology Dept
- Task Graph
- Mentions
Event Timeline
Ladsgroup added a parent task: Restricted Task.
Jdlrobson renamed this task from Mobile frontend’s history makes really slow db queries to (Unplanned, S) Mobile frontend’s history makes really slow db queries.Nov 7 2022, 6:45 PM
Jdlrobson renamed this task from (Unplanned, S) Mobile frontend’s history makes really slow db queries to [Unplanned, S] Mobile frontend’s history makes really slow db queries.Nov 7 2022, 6:45 PM
Comment Actions
@Mabualruz will take a look.
Long term we’d like to get rid of this class/page (T305113), but the change requested here seems very modest so we’d be happy to take a look.
@Ladsgroup presumably review should happen on this ticket and we shouldn’t post anything to Gerrit?
sbassett changed Author Affiliation from N/A to WMF Technology Dept.
sbassett changed Risk Rating from N/A to Medium.
Comment Actions
@Mabualruz will take a look.
Long term we’d like to get rid of this class/page (T305113), but the change requested here seems very modest so we’d be happy to take a look.
@Ladsgroup presumably review should happen on this ticket and we shouldn’t post anything to Gerrit?
Indeed. It feels like re-inventing the wheel. I don’t mind pushing for the removal of the mobile special page. I don’t think it’d be much work.
Comment Actions
LGTM in general not a big change, maybe just need to update the constructor’s PHPdocs.
Comment Actions
LGTM in general not a big change, maybe just need to update the constructor’s PHPdocs.
I removed the phpdocs because it wasn’t giving any extra information and already handled by typehints
Comment Actions
Deployed now. For what it’s worth, it had a small issue that I fixed in this:
sbassett changed the task status from Open to In Progress.EditedNov 15 2022, 4:45 PM
sbassett lowered the priority of this task from Medium to Low.
Comment Actions
Thanks, @Ladsgroup. Since ext:MobileFrontend isn’t bundled, I’ll track this one for the next supplemental security release at T318974. And within the list of currently-deployed security patches at T276237.
Comment Actions
I believe the security team will handle applying this to master and resolving this ticket. Please feel free to reach out if that’s not correct and/or if you need anything from web team by tagging Readers-Web-Backlog .
Comment Actions
I believe the security team will handle applying this to master and resolving this ticket. Please feel free to reach out if that’s not correct and/or if you need anything from web team by tagging Readers-Web-Backlog .
We can, sure. But that likely wouldn’t happen until closer to the end of the quarter, when we prep the upcoming supplemental security release (T318974). Since this is patched in wikimedia production, and ext:MF isn’t bundled, we can definitely make this task public and folks can start working on any relevant backports if they’d like. But as stated, the Security-Team typically doesn’t do that right away, but closer to the actual end-of-quarter supplemental release.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL